Catch Of The Week: FBI Issues Router Warning

By BECKY RUTHERFORD
Los Alamos

Got an old router, one from 2010 or earlier? Such devices are considered end of life (EOL): the manufacturer no longer ships firmware updates for them, so any security hole discovered since the last update stays open for good. That makes you a candidate for a cyber incident, at least according to a warning the FBI issued last month.

Recently the FBI released a list of EOL routers that had remote administration/management enabled and were breached by cyber actors using variants of TheMoon malware. The malware turns the router into a proxy, letting the actors route their cybercrime through your Internet connection while hiding who they are.

What is a proxy? According to the FBI press release – “A proxy server is a system or router that provides a gateway between users and the Internet. It is an intermediary between end-users and the web pages they visit online. A proxy is a service that relays users’ Internet traffic while hiding the link between users and their activity.

Cyber actors use proxy services to hide their identities and location. When actors use a proxy service to visit a website to conduct criminal activity, like stealing cryptocurrency or contracting illegal services, the website does not register their real IP address and instead registers the proxy IP.”

What is TheMoon malware? According to the FBI press release – “TheMoon malware was first discovered on compromised routers in 2014 and has since gone through several campaigns.

TheMoon does not require a password to infect routers; it scans for open ports and sends a command to a vulnerable script. The malware contacts the command and control (C2) server and the C2 server responds with instructions, which may include instructing the infected machine to scan for other vulnerable routers to spread the infection and expand the network.”

Sounds like a whole lot of nope to me! If you have an older router, you should replace it ASAP.

Here is a list of some of the exploited routers:

  • Cisco RV320 and RV325
  • Netgear ProSAFE BR200
  • Zyxel USG and ZyWALL models
  • DrayTek Vigor 2960 and 3900
  • D-Link DIR-655, DIR-866L, DIR-652, DSR-250N, DSR-500N
  • TP-Link WR740N and similar low-cost EOL models
  • Linksys E-series older models (E1200, E2500, etc.)
  • Cradlepoint E100

Some good advice: anything you own that is so old it no longer receives software updates should probably be replaced. Router firmware updates do for the router what operating system updates do for your computer or phone: they deliver the security fixes needed to close holes that attackers are actively exploiting.

Here is some more advice from the FBI:

  • If the router is at end of life, replace the device with an updated model if possible.
  • Immediately apply any available security patches and/or firmware updates for your devices.
  • Log in to the router's settings (usually through its web page), disable remote management/remote administration, save the change, and reboot the router.
  • Use strong passwords that are unique and random and contain at least 16 but no more than 64 characters. Avoid reusing passwords and disable password hints.
  • If you believe there is suspicious activity on any device, apply any necessary security and firmware updates, change your password, and reboot the router.
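If you want to confirm that step three actually took, the check to do is from outside your own network: with remote management off, none of the router's admin ports should answer a connection from the Internet. The script below is an added example (it is not code from the FBI or from this column). It probes the ports that router admin pages, telnet and SSH commonly use, classifies whatever answers, and also checks a replacement password against the 16-to-64-character guidance above. The port-to-service mapping, the sample list of default passwords and the placeholder address 203.0.113.10 are all assumptions made for illustration.

```python
"""Outside-in check that a router is not exposing its management interface,
plus a check of a new admin password against the FBI length guidance.
Added example; not code from the FBI or from this column."""
import socket

# Ports on which router admin services commonly listen. Which vendor uses
# which port is an assumption for illustration; check your router's manual.
# The second field marks cleartext protocols (a login from outside would also
# send the password unencrypted).
MANAGEMENT_PORTS = {
    22: ("ssh", False),
    23: ("telnet", True),
    80: ("http admin page", True),
    443: ("https admin page", False),
    8080: ("alternate http admin page", True),
    8443: ("alternate https admin page", False),
}


def probe_port(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan_management_ports(host, ports=MANAGEMENT_PORTS, probe=probe_port):
    """Probe every management port on host and return the set that answered.
    The probe function is injectable so the logic can run without a network."""
    return {port for port in ports if probe(host, port)}


def assess_exposure(open_ports, ports=MANAGEMENT_PORTS):
    """Classify a set of open ports into a report:
       exposed   - some management port answered, so remote management is on
                   (or the port is forwarded to the router)
       cleartext - a telnet/http admin service answered
       findings  - one readable line per open port, lowest port first
    """
    findings = []
    cleartext = False
    for port in sorted(open_ports):
        name, is_cleartext = ports.get(port, ("unknown service", False))
        cleartext = cleartext or is_cleartext
        findings.append(f"port {port} ({name}) is reachable from the Internet")
    return {"exposed": bool(open_ports), "cleartext": cleartext, "findings": findings}


# Constructed sample of factory defaults; a real check would use a larger list.
DEFAULT_PASSWORDS = {"admin", "password", "1234", "12345", "123456", ""}


def password_meets_guidance(password):
    """True if the password is 16 to 64 characters (the FBI guidance above)
    and is not a well-known factory default."""
    return 16 <= len(password) <= 64 and password.lower() not in DEFAULT_PASSWORDS


if __name__ == "__main__":
    import sys
    # 203.0.113.10 is a documentation address used as a placeholder; pass your
    # router's public IP as the first argument.
    host = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"
    report = assess_exposure(scan_management_ports(host))
    for line in report["findings"]:
        print(line)
    if report["exposed"]:
        print("Remote management looks ENABLED: disable it, save, reboot, then re-run this check.")
    else:
        print("No management port answered from outside.")
```

Run it from a device that is not on your home network (a phone on cellular data works) against your router's public address; from inside the house you would simply reach the normal LAN-side admin page. Only probe a router you own. The probe tests reachability, not whether a login would succeed, and some ISPs put customers behind shared addressing, so a port that does not answer is reassurance rather than proof; the router's own settings page remains the authoritative place to confirm remote management is off.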

Replace those EOL routers with new ones, and follow the security recommendations above: disable remote management/administration, change the password from the factory default, and keep the firmware up to date. Stay safe online, and if you have an ancient router, get out there and get yourself a new one!
